
Why VPC provides network isolation in AWS - Test Your Understanding

Practice - 5 Tasks
Answer the questions below
1. Fill in the blank
easy

Complete the code to specify the AWS service that creates a private network isolated from others.

AWS
resource "aws_[1]" "main" {}
A. ec2
B. vpc
C. s3
D. lambda
Common Mistakes
Choosing EC2, which is a compute service and not a network, instead of VPC.
Selecting S3 or Lambda, which are storage and compute services, not network services.
2. Fill in the blank
medium

Complete the code to define the CIDR block that sets the IP address range for the VPC.

AWS
resource "aws_vpc" "main" {
  cidr_block = "[1]"
}
A. 255.255.255.0
B. 192.168.1.1/24
C. 10.0.0.0/16
D. 0.0.0.0/0
Common Mistakes
Using a single IP address (or a subnet mask) instead of a CIDR range.
Using 0.0.0.0/0, which covers every IP address and therefore defines no isolated range.
3. Fill in the blank
hard

Fix the error in the subnet resource to ensure it belongs to the correct VPC.

AWS
resource "aws_subnet" "subnet1" {
  vpc_id     = [1]
  cidr_block = "10.0.1.0/24"
}
A. aws_security_group.sg.id
B. aws_subnet.subnet1.id
C. aws_instance.web.id
D. aws_vpc.main.id
Common Mistakes
Referencing a subnet or instance ID instead of the VPC ID.
Using a security group ID, which has nothing to do with subnet placement.
4. Fill in the blank
hard

Fill both blanks to create a security group that allows inbound HTTP traffic only from inside the VPC.

AWS
resource "aws_security_group" "web_sg" {
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = [1]
    to_port     = [2]
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }
}
A. 80
B. 22
C. 443
D. 8080
Common Mistakes
Using port 22, which is SSH, not HTTP.
Using different values for from_port and to_port, which defines a port range rather than the single HTTP port.
5. Fill in the blank
hard

Fill all three blanks to create a route table that directs internet traffic through the internet gateway.

AWS
resource "aws_route_table" "public" {
  vpc_id = [1]

  route {
    cidr_block = [2]
    gateway_id = [3]
  }
}
A. aws_vpc.main.id
B. "0.0.0.0/0"
C. aws_internet_gateway.main.id
D. "10.0.0.0/16"
Common Mistakes
Using a CIDR block that does not represent all internet traffic.
Using a subnet or VPC CIDR instead of 0.0.0.0/0 as the destination for internet-bound traffic.
Using a gateway other than the internet gateway.

Practice

1. What is the main reason a VPC provides network isolation in AWS?
easy
A. It provides unlimited bandwidth for all resources.
B. It automatically encrypts all data in the cloud.
C. It limits the number of users who can access AWS services.
D. It creates a private network space separate from other users.

Solution

  1. Step 1: Understand what a VPC does

    A VPC creates a private network space isolated from other AWS users.
  2. Step 2: Identify the isolation feature

    This private network space ensures resources inside the VPC are separated from others.
  3. Final Answer:

    It creates a private network space separate from other users. -> Option D
  4. Quick Check:

    VPC isolation = private network space [OK]
Hint: VPC means private network space, so isolation is by separation [OK]
Common Mistakes:
  • Confusing encryption with network isolation
  • Thinking VPC limits user count globally
  • Assuming VPC provides unlimited bandwidth
2. Which AWS component defines the IP address range for a VPC to isolate its network?
easy
A. Security Group
B. Subnet
C. CIDR Block
D. Route Table

Solution

  1. Step 1: Identify IP range setting in VPC

    The IP address range for a VPC is defined by a CIDR block (Classless Inter-Domain Routing).
  2. Step 2: Understand other options

    Security Groups control access, Subnets divide the VPC into smaller ranges, and Route Tables direct traffic; none of them defines the VPC's IP range.
  3. Final Answer:

    CIDR Block -> Option C
  4. Quick Check:

    VPC IP range = CIDR Block [OK]
Hint: CIDR block sets IP range, isolating the network [OK]
Common Mistakes:
  • Confusing Security Groups with IP range
  • Thinking Subnets define the whole VPC range
  • Assuming Route Tables set IP addresses
3. Given a VPC with CIDR block 10.0.0.0/16 and a subnet 10.0.1.0/24, which IP address belongs to the subnet?
medium
A. 10.0.1.50
B. 10.0.2.5
C. 10.1.1.10
D. 192.168.1.1

Solution

  1. Step 1: Understand subnet IP range

    The subnet 10.0.1.0/24 includes IPs from 10.0.1.0 to 10.0.1.255.
  2. Step 2: Check each IP

    10.0.1.50 is inside the subnet; 10.0.2.5, 10.1.1.10 and 192.168.1.1 are outside it.
  3. Final Answer:

    10.0.1.50 -> Option A
  4. Quick Check:

    IP in 10.0.1.0/24 = 10.0.1.50 [OK]
Hint: Check whether the IP's network bits match the subnet prefix [OK]
Common Mistakes:
  • Choosing IPs outside the subnet range
  • Confusing subnet and VPC ranges
  • Ignoring CIDR notation meaning
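The membership check behind this question, written out as an added Python example (not part of the original quiz): it tests an address against the subnet prefix both with the standard library and with an explicit network-bit mask, and also confirms that the subnet lies inside the VPC range. The VPC and subnet CIDRs are the ones from the question; the four candidate addresses are the answer options.

```python
import ipaddress

# Values from the question: a /16 VPC and one /24 subnet inside it.
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDR = "10.0.1.0/24"


def subnet_fits_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """True when every address of the subnet lies inside the VPC range."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    return subnet.subnet_of(vpc)


def ip_in_cidr(ip: str, cidr: str) -> bool:
    """Membership test using the standard library's network objects."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)


def ip_in_cidr_manual(ip: str, cidr: str) -> bool:
    """Same test done by hand: compare only the prefix (network) bits.

    For /24 the mask is 0xFFFFFF00, so 10.0.1.50 & mask == 10.0.1.0
    while 10.0.2.5 & mask == 10.0.2.0, which is a different network.
    """
    network_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    ip_int = int(ipaddress.IPv4Address(ip))
    net_int = int(ipaddress.IPv4Address(network_str))
    return (ip_int & mask) == (net_int & mask)


def classify(ip: str, vpc_cidr: str = VPC_CIDR, subnet_cidr: str = SUBNET_CIDR) -> str:
    """Place an address relative to the subnet and the VPC it belongs to."""
    if ip_in_cidr(ip, subnet_cidr):
        return "subnet"
    if ip_in_cidr(ip, vpc_cidr):
        return "vpc-other-subnet"
    return "outside-vpc"


if __name__ == "__main__":
    print("subnet inside VPC:", subnet_fits_vpc(VPC_CIDR, SUBNET_CIDR))
    # The four answer options from the question.
    for candidate in ("10.0.1.50", "10.0.2.5", "10.1.1.10", "192.168.1.1"):
        print(f"{candidate:>12}: {classify(candidate)}  "
              f"(manual check: {ip_in_cidr_manual(candidate, SUBNET_CIDR)})")
```

`ip_network(..., strict=True)` rejects a CIDR whose host bits are set (for example `192.168.1.1/24`), which is the same mistake the earlier fill-in-the-blank task warns about, so a validation step built on it catches that error before the value ever reaches a Terraform plan.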
4. You created a VPC but your instances cannot communicate with each other. What is the most likely cause?
medium
A. Security groups block all inbound and outbound traffic.
B. The route table has a route to the local network.
C. The subnet CIDR block overlaps with another VPC.
D. The VPC has no internet gateway attached.

Solution

  1. Step 1: Analyze communication issue

    Instances in a VPC can communicate only if their security groups allow the traffic.
  2. Step 2: Check options

    A missing internet gateway only affects external access; an overlapping CIDR causes routing conflicts with the other VPC but does not block traffic inside this one; and the local route is what enables communication within the VPC, so its presence is not a problem.
  3. Final Answer:

    Security groups block all inbound and outbound traffic. -> Option A
  4. Quick Check:

    Blocked security groups = no communication [OK]
Hint: Check security group rules first for communication issues [OK]
Common Mistakes:
  • Assuming internet gateway affects internal traffic
  • Ignoring security group rules
  • Thinking route table with local route blocks traffic
5. You want to isolate two applications in the same AWS account so they cannot access each other's resources. Which VPC design best achieves this?
hard
A. Create one VPC with separate subnets and use security groups to isolate traffic.
B. Create two separate VPCs with non-overlapping CIDR blocks and no peering.
C. Use one VPC and rely on route tables to block traffic between subnets.
D. Create one VPC and use a single security group for all instances.

Solution

  1. Step 1: Understand isolation requirements

    Complete isolation means no network path between applications.
  2. Step 2: Evaluate design options

    Separate VPCs with no peering guarantee that no network path exists. A single VPC with separate subnets or security groups can isolate traffic, but the isolation is only as strong as the rules and is easier to misconfigure.
  3. Final Answer:

    Create two separate VPCs with non-overlapping CIDR blocks and no peering. -> Option B
  4. Quick Check:

    Separate VPCs = full network isolation [OK]
Hint: Use separate VPCs without peering for full isolation [OK]
Common Mistakes:
  • Relying only on security groups for full isolation
  • Using route tables alone to block traffic
  • Assuming one VPC can fully isolate apps without extra setup